--- # task/configure file for vault - name: "Vault | Create vault.env" ansible.builtin.template: src: vault.env.j2 dest: "{{ vault_config_dir }}/vault.env" owner: "{{ vault_user }}" group: "{{ vault_group }}" mode: "0600" register: _vault_env_file - name: "Vault | Copy vault.json template" ansible.builtin.template: src: vault.json.j2 dest: "{{ vault_config_dir }}/vault.json" owner: "{{ vault_user }}" group: "{{ vault_group }}" mode: "0600" register: _vault_config_file - name: "Vault | Set restart-check variable" ansible.builtin.set_fact: _vault_service_need_restart: true when: _vault_env_file.changed or _vault_config_file.changed - name: "Vault | Gather initial checksums for certificate files" ansible.builtin.stat: path: "{{ item }}" checksum_algorithm: sha1 loop: "{{ vault_certificates_reload_watchlist }}" when: vault_enable_tls register: _vault_initial_cert_checksums - name: "Vault | Normalize initial checksums" ansible.builtin.set_fact: # This needs to be optimized, but I have spent so much time on it not # working that I will keep it as is for now, and we'll see later. _vault_initial_checksums_normalized: >- {% filter trim %} {% set checksums = [] %} {% for item in _vault_initial_cert_checksums.results %} {% set _ = checksums.append({ 'item': item.item, 'initial_checksum': (item.stat.checksum | default('absent')) }) %} {% endfor %} {{ checksums }} {% endfilter %} when: vault_enable_tls - name: "Vault | Copy extra configuration files" when: vault_extra_files block: - name: "Vault | Get extra file types" ansible.builtin.stat: path: "{{ item.src }}" loop: "{{ vault_extra_files_list }}" register: vault_extra_file_stat delegate_to: localhost - name: "Vault | Set list for file sources" vars: _vault_file_sources: [] ansible.builtin.set_fact: _vault_file_sources: "{{ _vault_file_sources + [item.item] }}" when: item.stat.isreg loop: "{{ vault_extra_file_stat.results }}" loop_control: loop_var: item delegate_to: localhost - name: "Vault | Set list for directory sources" vars: _vault_dir_sources: [] ansible.builtin.set_fact: _vault_dir_sources: "{{ _vault_dir_sources + [item.item] }}" when: item.stat.isdir loop: "{{ vault_extra_file_stat.results }}" loop_control: loop_var: item delegate_to: localhost - name: "Vault | Template extra file sources" ansible.builtin.template: src: "{{ item.src }}" dest: "{{ item.dest | regex_replace('\\.j2$', '') }}" owner: "{{ vault_user }}" group: "{{ vault_group }}" mode: "0700" loop: "{{ _vault_file_sources }}" when: _vault_file_sources is defined - name: "Vault | Template extra directory sources" ansible.builtin.include_tasks: recursive_copy_extra_dirs.yml loop: "{{ _vault_dir_sources }}" loop_control: loop_var: dir_source_item when: _vault_dir_sources is defined - name: "Vault | Gather final checksums for certificate files" ansible.builtin.stat: path: "{{ item }}" checksum_algorithm: sha1 loop: "{{ vault_certificates_reload_watchlist }}" when: vault_enable_tls register: _vault_final_cert_checksums - name: "Vault | Normalize final checksums" ansible.builtin.set_fact: # This needs to be optimized, but I have spent so much time on it not # working that I will keep it as is for now, and we'll see later. _vault_final_checksums_normalized: >- {% filter trim %} {% set checksums = [] %} {% for item in _vault_final_cert_checksums.results %} {% set _ = checksums.append({ 'item': item.item, 'final_checksum': (item.stat.checksum | default('absent')) }) %} {% endfor %} {{ checksums }} {% endfilter %} when: vault_enable_tls - name: "Vault | Merge initial and final checksum lists" ansible.builtin.set_fact: _vault_checksums_list: >- {{ _vault_initial_checksums_normalized | community.general.lists_mergeby(_vault_final_checksums_normalized, 'item') }} when: vault_enable_tls - name: "Vault | Determine if certificates have changed or were newly added" ansible.builtin.set_fact: _vault_service_need_reload: true when: - vault_enable_tls - _vault_checksums_list | json_query('[?initial_checksum!=final_checksum]') | list| length > 0